Scattered Spider Uses RansomHub and Qilin Ransomware in Attacks

The notorious cybercrime group known as Scattered Spider has incorporated ransomware strains RansomHub and Qilin into its operations, according to Microsoft.

Scattered Spider, recognized for its advanced social engineering tactics, targets organizations to gain access and persist for further exploitation and data theft. The group is also known for attacking VMware ESXi servers and deploying BlackCat ransomware.

This group shares characteristics with other threat actors tracked by the cybersecurity community as 0ktapus, Octo Tempest, and UNC3944. Recently, a significant member of the group was arrested in Spain.

RansomHub, which appeared in February, is considered a rebranding of the Knight ransomware strain, as analyzed by Broadcom-owned Symantec. Microsoft noted that RansomHub is a ransomware-as-a-service (RaaS) payload increasingly used by various threat actors, including those who previously employed other ransomware strains like BlackCat, making it a widely used ransomware family today.

Microsoft has also observed RansomHub being used in post-compromise activities by Manatee Tempest (also known as DEV-0243, Evil Corp, or Indrik Spider) after initial access was obtained by Mustard Tempest (also known as DEV-0206 or Purple Vallhund) through FakeUpdates (SocGholish) infections.

Mustard Tempest, an initial access broker, has previously used FakeUpdates in attacks that resemble pre-ransomware behavior linked to Evil Corp. These intrusions were notable for delivering FakeUpdates via existing Raspberry Robin infections.

The rise of new ransomware families like FakePenny (attributed to Moonstone Sleet), Fog (spread by Storm-0844, which also distributes Akira), and ShadowRoot, which targets Turkish businesses with fake PDF invoices, underscores the evolving ransomware threat.

“As ransomware threats continue to grow and change, users and organizations should follow security best practices, including maintaining credential hygiene, applying the principle of least privilege, and adopting a Zero Trust approach,” Microsoft advised.

To protect against ransomware attacks by groups like Scattered Spider, organizations should adopt a multi-layered security approach. Ensure regular backups of critical data and store them offline to prevent ransomware from encrypting backup files. Keep all software and systems up to date with the latest patches to close vulnerabilities. Implement network segmentation to limit the spread of ransomware within your organization.